Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
2. What is Ransomware?
What is it and how does it work?
Trends
What are we seeing in the long term?
Prevention
Strategies to prevent infection in the first place.
Detection
Strategies to detect infection after it occurs.
5. 1: Make it too risky for those responsible
2: Make it less profitable when achieved
3: Make it harder to break in and stay in
Develop better strategies for detection and prevention
6. Exploit Developer
Identifies vulnerabilities in software and
weaponizes them for sale.
Threat Actor, Group, or Access Broker
(Affiliates)
Break into networks using a variety of
techniques and deploy ransomware software.
Or sell access.
Software Developer
Create ransomware software that can encrypt
files, provide communication channel, and
decrypt files.
25-30. What can I do to prevent ransomware threat actors from getting in?
Our definition of a “vulnerability” has changed.
not just a missing patch
not just a weak configuration
not just insecure code
Exploitation doesn’t require any of these.
31-33. We need to start thinking about malicious behavior as a vulnerability.
The definition of “vulnerability” needs to be extended to include detection gaps.
You can’t prevent what you can’t detect.
35. Why are the industry averages still so low?
• Security products only deploy high-fidelity detections
• MSSP services only deploy high-fidelity detections
• MSSP contracts can be restrictive and expensive
• Missing & broken data sources: you can’t generate alerts based on data you’re not collecting!
[Chart, 2021: 23% visible alerts vs. 77% blind exposure]
36. [Chart: alert coverage year over year, single client example, broken down into % improved, % N/A (new tests), % worse, % unchanged]
38. KILL CHAIN: BEHAVIOR OPTIONS
[Diagram: kill-chain phases with their behavior options; labels shown: Escalate, Paid, Deploy, Target, Remove, Exfiltrate, Access]
Our goal should be to detect the threat actors before they accomplish their goal!
BREAK the cyber kill chain!
39. Between 60% and 80% alert coverage is a realistic target.
It requires choosing the TTPs to cover for your business.
100% alert coverage is NOT required.
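The coverage target and the year-over-year chart above are easier to reason about with the arithmetic written down. The following is an added example, not code from the presentation: it computes alert coverage over a chosen set of TTP tests, compares it against the 60-80% band, and classifies each test as improved, worse, unchanged or new between two runs. The technique IDs are MITRE ATT&CK identifiers used only as labels, and the test results are constructed.

```python
"""Alert-coverage KPI over a chosen TTP set, with a year-over-year comparison.

Added example, not code from the presentation. The technique IDs are
MITRE ATT&CK identifiers used only as labels; the test results below are
constructed to illustrate the arithmetic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    """Outcome of one detection test: "alert" (an alert fired), "detect"
    (telemetry existed but nothing alerted) or "blind" (no telemetry)."""
    technique: str
    procedure: str
    status: str


# Ordering used to decide whether a test got better or worse.
RANK = {"blind": 0, "detect": 1, "alert": 2}


def alert_coverage(results):
    """Fraction of in-scope tests that produced an alert, 0.0 to 1.0."""
    if not results:
        return 0.0
    return sum(r.status == "alert" for r in results) / len(results)


def coverage_status(coverage, low=0.60, high=0.80):
    """Compare coverage against the 60-80% target band from the deck."""
    if coverage < low:
        return "below target"
    if coverage > high:
        return "above target"
    return "on target"


def year_over_year(previous, current):
    """Classify every current test as improved, worse, unchanged or new
    relative to the previous run; returns percentages of current tests."""
    prev = {(r.technique, r.procedure): r.status for r in previous}
    buckets = {"improved": 0, "worse": 0, "unchanged": 0, "new": 0}
    for r in current:
        key = (r.technique, r.procedure)
        if key not in prev:
            buckets["new"] += 1
        elif RANK[r.status] > RANK[prev[key]]:
            buckets["improved"] += 1
        elif RANK[r.status] < RANK[prev[key]]:
            buckets["worse"] += 1
        else:
            buckets["unchanged"] += 1
    total = len(current) or 1
    return {k: round(100 * v / total, 1) for k, v in buckets.items()}


# Constructed sample: the same test suite run in two consecutive years.
LAST_YEAR = [
    TestResult("T1021.002", "remote service install via admin share", "blind"),
    TestResult("T1021.002", "file copy to admin share", "detect"),
    TestResult("T1003.001", "LSASS memory read", "alert"),
    TestResult("T1486", "mass file rename", "blind"),
    TestResult("T1490", "shadow copy deletion", "detect"),
]
THIS_YEAR = [
    TestResult("T1021.002", "remote service install via admin share", "alert"),  # improved
    TestResult("T1021.002", "file copy to admin share", "detect"),               # unchanged
    TestResult("T1003.001", "LSASS memory read", "detect"),                      # worse
    TestResult("T1486", "mass file rename", "alert"),                            # improved
    TestResult("T1490", "shadow copy deletion", "alert"),                        # improved
    TestResult("T1078", "valid account logon from new location", "blind"),       # new test
]

if __name__ == "__main__":
    for label, run in (("last year", LAST_YEAR), ("this year", THIS_YEAR)):
        cov = alert_coverage(run)
        print(f"{label}: {cov:.0%} alert coverage ({coverage_status(cov)})")
    print("year over year:", year_over_year(LAST_YEAR, THIS_YEAR))
```

The "worse" bucket is the one to watch: a test that alerted last year and only produces telemetry this year is a detection that silently broke, which is exactly the regression that continuous validation is meant to catch.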
40. 1 Attack Surface Reduction
wherever possible. Especially for internet-facing systems and applications. Asset inventory and attack surface monitoring.
2 Multi-Factor Authentication
should be enabled on all management interfaces exposed to the internet. That includes all SaaS and cloud partners. Passwordless authentication.
3 Vulnerability Management
should continue to be a priority. At a minimum, it should include asset, configuration, patch, application, Active Directory, and cloud management.
4 Protect & Validate Recovery Capabilities
When was the last time you tried to restore a backup, and how long would that take for the entire company? Immutable & offline.
5 Segment and Isolate
sensitive systems, applications, data and privileges to help slow down and/or block threat actors. Don’t forget about your management & backup platforms!
6 Test All of Your Controls
regularly through security audits, penetration tests, detective control reviews, and security awareness training. Continuous testing. Trust but verify!
Tabletop exercises are not enough!
• Miss disconnects between paper and reality - blind spots
• Can generate conclusions based on incomplete or inaccurate information
• Can overlook breakdowns at the strategic, operational, and tactical levels
• Driven by a least privilege and secure by default mindset.
• Detective control lifecycle should be managed in a similar way.
• Emerging role of detection engineer; works with IR/SOC/TI
• https://attack.mitre.org/mitigations/enterprise/
41. Open-Source Software
Inventory share access in Active Directory environments automatically.
Identify HIGH RISK shares based on common names, files, and privileges.
Prioritize remediation using environment-specific analytics.
ISSUE
We are catching ransomware too late in the cyber kill chain!
SOLUTION
Today we’ll talk about trying to be less dependent on malware-specific IoCs and moving towards behavior-based detections that are threat-actor agnostic.
That way we can detect threat actors further up the cyber kill chain.
BONUS
If done well, this can allow companies to:
- better measure their real detection coverage
- develop key performance indicators to help guide and track detection development and investments
Together this group of profiles creates an ecosystem that supports Ransomware as a Service (RaaS).
Ransomware as a Service (RaaS) is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks.
Affiliates earn a percentage of each successful ransom payment.
Here is a generic *very* high level RaaS workflow.
1. Ransomware dev creates ransomware. They may do exploit dev as well.
2. Ransomware dev works with threat actor/group/access broker.
3. Threat actor/group/access broker identifies common techniques/exploits, or purchases exploits from an exploit dev, to gain access to the client.
4. Threat actor/group/access broker gains access to the client and deploys ransomware, and data is encrypted.
5. Victim pays.
6. The money gets laundered.
7. The developers and access brokers get paid.
8. The decryption key is provided to the victim.
9. Data is recovered.
Notice that as a trend, ransomware developers are giving the affiliates more control over the lifecycle, which means there is more likely to be variability in the TTPs used.
Emphasize: This is a cycle that continues to grow with each payout! Some of these groups have large budgets.
The highlighted section is the only thing we can control, so how can we better understand and defend here?
This is a simplified kill chain that reads left to right.
Attacks are on the rise again
Opportunistic feeds targeted
Ransomware Task Force saw about 27% paying in 2020.
https://www.trellix.com/en-us/threat-center/threat-reports/apr-2022.html
https://www.sophos.com/en-us/content/state-of-ransomware
Getting clear information is hard.
We only see what is reported.
The samples have their own biases – government, IR, insurance.
Example: from Q3 to Q4 of last year, Trellix says the quantity of ransomware attacks detected by its U.S.-based clients declined by 61%.
https://www.trellix.com/en-us/threat-center/threat-reports/apr-2022.html
https://www.sophos.com/en-us/content/state-of-ransomware
https://newsroom.nccgroup.com/news/ncc-group-monthly-threat-pulse-march-2022-446743
https://securityandtechnology.org/ransomwaretaskforce/
https://securityandtechnology.org/ransomwaretaskforce/report/
Deter
“REvil left the stage after a coordinated takedown of their infrastructure, several internal disputes, and members being arrested,” says Trellix.
1,000 ransomware threat actors in operation.
Russian sanctions = more IT workers out of work = more potential hackers.
Russia was helping the US crack down
- https://www.bbc.com/news/technology-59998925
But now they aren’t, and there seems to be a resurgence
- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
Trend towards giving the affiliate (the threat actor / group / access broker) control over the whole process.
Additional Notes
Number of ransomware attackers actually going through with it:
https://www.coveware.com/blog/2022/3/25/how-the-russianukraine-war-may-lead-to-an-explosion-in-ransomware-attacks
1. The Conti leak showed 62 individuals associated with the Conti group. Round to 100.
2. The FBI IC3 report estimated Conti accounted for 13% of ransomware attacks.
3. Coveware estimates there are approx. 1,000 ransomware threat actors in operation.
Additional Discussion
Eastern Europe/Russian territories have tech-savvy populations without enough tech jobs.
Coveware speculates that this has been driving the increase in ransomware attackers.
Coveware also speculates that the Russian sanctions will reduce the number of available tech jobs further and drive more people to cyber crime.
Let’s talk about where to start.
First things first, you need to understand how the detection pipeline works within your environment, and understand the differences and nuances between detection and response.
Logging review
- You can’t respond to what you can’t see.
Detection review
- Identify potentially malicious behavior based on artifacts, correlations, or anomaly detection.
Alerts can sometimes use more complex logic than pure detections.
Use industry reports and intel feeds to help decide how to prioritize your detection development.
Focus on the techniques and procedures used the most across the groups and those that may be an immediate threat.
6/7 can provide guidance on how to build generic rules.
Threat intel could tell you that MAZE is a threat.
You can see the common techniques they use.
And the data sources associated with those techniques.
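The prioritisation described in these notes (rank techniques by how many relevant groups use them, then check whether the data sources each detection needs are actually being collected) can be written down as a small planning step. This is an added example, not code from the presentation: the group-to-technique mappings, the threat weights, the data-source requirements and the list of collected sources are all constructed placeholders standing in for an intel feed and a logging inventory; the technique IDs are MITRE ATT&CK identifiers used as labels. It also covers the earlier point that you cannot alert on data you are not collecting, by reporting which techniques are blocked by a missing data source.

```python
"""Prioritise detection development from threat intel, then check data sources.

Added example, not code from the presentation. Group/technique mappings,
threat weights, data-source requirements and the collected-source list are
constructed placeholders; technique IDs are ATT&CK identifiers used as labels."""
from collections import Counter

# Constructed: techniques each tracked group has been reported using, and a
# weight for how immediate a threat the group is to this business.
GROUP_TTPS = {
    "group-A": {"T1078", "T1021.002", "T1003.001", "T1486"},
    "group-B": {"T1078", "T1021.002", "T1490", "T1486"},
    "group-C": {"T1566.001", "T1021.002", "T1486"},
}
THREAT_WEIGHT = {"group-A": 3, "group-B": 2, "group-C": 1}

# Constructed: the telemetry a detection for each technique needs.
REQUIRED_SOURCES = {
    "T1078": {"auth-logs"},
    "T1021.002": {"windows-security", "windows-system"},
    "T1003.001": {"edr-process-access"},
    "T1486": {"file-activity"},
    "T1490": {"process-creation"},
    "T1566.001": {"email-gateway"},
}

# Constructed: what the SIEM is actually ingesting today.
COLLECTED = {"auth-logs", "windows-security", "process-creation", "file-activity", "email-gateway"}


def rank_techniques(group_ttps, weights):
    """Score each technique by the summed weight of the groups using it;
    highest score first, technique ID as a tie-breaker."""
    score = Counter()
    for group, ttps in group_ttps.items():
        for technique in ttps:
            score[technique] += weights[group]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def data_gaps(ranked, required, collected):
    """Map technique -> sorted list of required sources that are not collected.
    A technique with a gap cannot alert until the logging gap is closed."""
    gaps = {}
    for technique, _ in ranked:
        missing = required[technique] - collected
        if missing:
            gaps[technique] = sorted(missing)
    return gaps


def build_plan(group_ttps, weights, required, collected):
    """Ordered work list: each entry carries its intel score and any data
    sources that must be onboarded before a detection can be written."""
    ranked = rank_techniques(group_ttps, weights)
    gaps = data_gaps(ranked, required, collected)
    return [{"technique": t, "score": s, "blocked_by": gaps.get(t, [])} for t, s in ranked]


if __name__ == "__main__":
    for item in build_plan(GROUP_TTPS, THREAT_WEIGHT, REQUIRED_SOURCES, COLLECTED):
        note = f" (blocked by missing {', '.join(item['blocked_by'])})" if item["blocked_by"] else ""
        print(f"{item['technique']:<10} score={item['score']}{note}")
```

The ordering answers "what do we build first"; the `blocked_by` field answers "what has to be logged before that detection can exist", which is the item that usually needs a conversation with the platform or MSSP team rather than a new rule.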
Let’s talk about where to start.
They aren’t using any novel techniques or procedures.
The diagram shows they are mostly using techniques and procedures that have been around for the better part of two decades.
Let’s use psexec as a case study for procedure dissection, also called a capability abstraction, a term coined by Jared Atkinson.
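To show what a capability abstraction buys the defender, here is an added example, not code from the presentation: the psexec procedure is broken into the steps that any tool of that kind has to perform, each mapped to the telemetry it leaves, and one of those steps is turned into a behavior-based correlation rule (a service installed on a host shortly after a file of the same name was written to that host's ADMIN$ share). The event records are constructed and simplified JSON-style dictionaries, not real log output; the Windows event IDs and field meanings referenced (Security 4624, 5145, 4697; System 7045; Sysmon 17/18) are real, but the 60-second window and the field names in the records are assumptions of this example.

```python
"""Procedure dissection (capability abstraction) for psexec-style remote
execution, turned into a behavior-based correlation rule.

Added example, not code from the presentation. The event records are
constructed and simplified; the event IDs and field meanings match the
Windows events named, but the record layout and the window are assumptions."""
from datetime import datetime, timedelta

# The procedure as steps, with the telemetry each step leaves behind.
# Detecting the steps keeps the rule independent of any one tool's name or hash.
PROCEDURE = [
    ("network logon to the target over SMB", "Security 4624, logon type 3"),
    ("service binary written to the ADMIN$ share", "Security 5145 (ShareName, RelativeTargetName, write access)"),
    ("service created and started through the Service Control Manager", "System 7045 / Security 4697 (ServiceName, ImagePath)"),
    ("input and output relayed over named pipes", "Sysmon 17/18 (pipe created / connected)"),
]

# Constructed, simplified event records; a real pipeline would parse EVTX/XML.
SAMPLE_EVENTS = [
    {"ts": "2022-05-01T10:00:01", "host": "srv01", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "remotesvc.exe", "src_ip": "10.0.0.5", "write": True},
    {"ts": "2022-05-01T10:00:02", "host": "srv01", "id": 7045,
     "service": "remotesvc", "image": "%SystemRoot%\\remotesvc.exe"},
    # Benign: a packaged agent installed from Program Files, no share write before it.
    {"ts": "2022-05-01T11:30:00", "host": "srv02", "id": 7045,
     "service": "Backup Agent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
    # Benign: an admin copying a patch to ADMIN$ with no service install following.
    {"ts": "2022-05-01T12:00:00", "host": "srv03", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "patch.msi", "src_ip": "10.0.0.9", "write": True},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    """Last path component, case-folded, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_service_install(events, window=timedelta(seconds=60)):
    """Flag a service install (7045) on a host when, within `window` before it,
    a file with the same name as the service binary was written to ADMIN$ (5145).
    Returns one hit per correlated pair, carrying the remote source address."""
    share_writes = [e for e in events
                    if e["id"] == 5145 and e.get("write") and e["share"].upper().endswith("ADMIN$")]
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        binary = _basename(e["image"])
        for w in share_writes:
            delta = _ts(e) - _ts(w)
            if (w["host"] == e["host"] and w["target"].lower() == binary
                    and timedelta(0) <= delta <= window):
                hits.append({"ts": e["ts"], "host": e["host"], "service": e["service"],
                             "image": e["image"], "src_ip": w["src_ip"]})
    return hits


if __name__ == "__main__":
    for step, source in PROCEDURE:
        print(f"step: {step:<60} telemetry: {source}")
    for hit in detect_remote_service_install(SAMPLE_EVENTS):
        print(f"[{hit['ts']}] {hit['host']}: service '{hit['service']}' installed from "
              f"{hit['image']} right after a write to ADMIN$ from {hit['src_ip']}")
```

Each step in `PROCEDURE` is a separate detection opportunity with its own data source; the correlation above only needs Security 5145 and System 7045, so if either log is not being collected the rule is a known gap rather than a silent one.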
It’s all about TTP relationships.
Single entry, or even four.
Add 3 more entry options and now you’re at 16.
Add 6 more attack phases and you’re at over 16k.
It seems unmanageable…
But when you overlay your TTP detection coverage, you can start to see your blind spots.
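The path count grows as the product of the options per phase, and the overlay is what turns that number back into something manageable: a path is only a blind spot if none of the behaviors on it is alerted. The following is an added example, not code from the presentation, and it generalizes the deck's arithmetic to any number of phases and options. The kill-chain map is constructed, using the deck's phase names (minus "Paid", where there is no behavior to detect) with four MITRE ATT&CK technique IDs per phase as labels; the set of covered techniques is likewise constructed.

```python
"""Kill-chain behaviour options: counting attack paths and overlaying detection
coverage to find blind spots.

Added example, not code from the presentation. The phase map and the covered
set are constructed; technique IDs are ATT&CK identifiers used as labels."""
from itertools import product

# Constructed kill-chain map: phase -> behaviour options (names in comments).
PHASES = {
    "Target":     ["T1595", "T1589", "T1591", "T1598"],            # active scanning, victim identity info, victim org info, phishing for info
    "Access":     ["T1566", "T1133", "T1190", "T1078"],            # phishing, external remote services, public-facing app exploit, valid accounts
    "Escalate":   ["T1068", "T1003", "T1558", "T1548"],            # priv-esc exploit, credential dumping, Kerberos tickets, elevation control abuse
    "Exfiltrate": ["T1041", "T1567", "T1048", "T1030"],            # over C2, over web service, alternative protocol, size limits
    "Deploy":     ["T1486", "T1021.002", "T1569.002", "T1053.005"],  # encrypt for impact, admin shares, service execution, scheduled task
    "Remove":     ["T1490", "T1070", "T1489", "T1485"],            # inhibit recovery, indicator removal, service stop, data destruction
}

# Constructed: techniques for which a validated alert exists today.
COVERED = {"T1566", "T1003", "T1486", "T1490"}


def count_paths(phases):
    """Total distinct paths: the product of the option counts per phase."""
    n = 1
    for options in phases.values():
        n *= len(options)
    return n


def blind_paths_enumerated(phases, covered):
    """Brute force: a path is blind when none of its options is covered."""
    names = list(phases)
    return sum(1 for path in product(*(phases[p] for p in names))
               if not any(option in covered for option in path))


def blind_paths(phases, covered):
    """Closed form: multiply the number of uncovered options per phase.
    Equals the brute-force count, but scales to maps too large to enumerate."""
    n = 1
    for options in phases.values():
        n *= sum(1 for option in options if option not in covered)
    return n


def phase_coverage(phases, covered):
    """Fraction of options alerted on, per phase."""
    return {p: sum(o in covered for o in opts) / len(opts) for p, opts in phases.items()}


def uncovered_phases(phases, covered):
    """Phases with no coverage at all: a threat actor passes through unseen."""
    return [p for p, frac in phase_coverage(phases, covered).items() if frac == 0]


if __name__ == "__main__":
    total = count_paths(PHASES)
    blind = blind_paths(PHASES, COVERED)
    print(f"{total} paths, {blind} with no alert on any step ({blind / total:.0%})")
    for phase, frac in phase_coverage(PHASES, COVERED).items():
        print(f"  {phase:<10} {frac:.0%}")
    print("phases with zero coverage:", uncovered_phases(PHASES, COVERED))
```

Adding a single alerted option to a phase with zero coverage removes every blind path through that option at once, which is why the overlay tends to point at a small number of high-value detections rather than at the whole 16k-path space.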
It’s getting better, but it’s still not great.
That’s why being proactive about building and measuring your capabilities is so important.